blackmoon | 86634d71d3f5222dbc006286a0550d5f0ab5f9425b10bf29b36e28517a7a8fb8

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2025, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
Size

179KB
MD5

cc19f145489cbdfea8b86789a5897e92
SHA1

d137788d1c609dc801aec1eb314ea9c81aefff94
SHA256

86634d71d3f5222dbc006286a0550d5f0ab5f9425b10bf29b36e28517a7a8fb8
SHA512

7b5adc783c9619a1773cf66c9e4272215b0ac0dbae4d2d5611229a497039f864f275543d4f636580c0ea794837eacf4452461b722c3e724ed84e23854f87ada3
SSDEEP

3072:Q+twMj1oKKMWfSp+RgCq84f9Z2Pmj13qgiyfs/mjN1/O9H02T1XDPEHnf9Wu:xtwXnMWffgCqp9cg6kBT8HJTlPE1Wu

Score

10^/10

blackmoon banker defense_evasion discovery persistence trojan vmprotect

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2876-18-0x0000000000400000-0x0000000000449200-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	Cmweu1u.exe

Executes dropped EXE 1 IoCs

pid	Process
2460	Cmweu1u.exe

Loads dropped DLL 64 IoCs

pid	Process
1040	rundll32.exe
1164	rundll32.exe
872	rundll32.exe
2724	rundll32.exe
4764	rundll32.exe
2040	rundll32.exe
992	rundll32.exe
4448	rundll32.exe
3344	rundll32.exe
2468	rundll32.exe
1416	rundll32.exe
3004	rundll32.exe
1932	rundll32.exe
4400	rundll32.exe
4208	rundll32.exe
4972	rundll32.exe
3784	rundll32.exe
856	rundll32.exe
1808	rundll32.exe
1576	rundll32.exe
1316	rundll32.exe
4996	rundll32.exe
4604	rundll32.exe
1416	rundll32.exe
3692	rundll32.exe
1508	rundll32.exe
2640	rundll32.exe
1524	rundll32.exe
1596	rundll32.exe
2676	rundll32.exe
2532	rundll32.exe
5020	rundll32.exe
1904	rundll32.exe
404	rundll32.exe
3504	rundll32.exe
1416	rundll32.exe
2624	rundll32.exe
1956	rundll32.exe
372	rundll32.exe
2756	rundll32.exe
4412	rundll32.exe
3080	rundll32.exe
4632	rundll32.exe
3808	rundll32.exe
1808	rundll32.exe
4132	rundll32.exe
5112	rundll32.exe
2416	rundll32.exe
5096	rundll32.exe
4960	rundll32.exe
1556	rundll32.exe
4900	rundll32.exe
2284	rundll32.exe
2348	rundll32.exe
2840	rundll32.exe
872	rundll32.exe
2448	rundll32.exe
4632	rundll32.exe
856	rundll32.exe
4800	rundll32.exe
3384	rundll32.exe
1240	rundll32.exe
3412	rundll32.exe
4224	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x00080000000227ba-13.dat	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\240621625.txt,M"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
1040	rundll32.exe
1040	rundll32.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
1040	rundll32.exe
1040	rundll32.exe
872	rundll32.exe
872	rundll32.exe
2724	rundll32.exe
2724	rundll32.exe
4764	rundll32.exe
4764	rundll32.exe
2040	rundll32.exe
2040	rundll32.exe
992	rundll32.exe
992	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
2468	rundll32.exe
2468	rundll32.exe
1416	rundll32.exe
1416	rundll32.exe
3004	rundll32.exe
3004	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
4400	rundll32.exe
4400	rundll32.exe
4208	rundll32.exe
4208	rundll32.exe
4972	rundll32.exe
4972	rundll32.exe
3784	rundll32.exe
3784	rundll32.exe
856	rundll32.exe
856	rundll32.exe
1808	rundll32.exe
1808	rundll32.exe
1576	rundll32.exe
1576	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4604	rundll32.exe
4604	rundll32.exe
1416	rundll32.exe
1416	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1040	rundll32.exe
1164	rundll32.exe
872	rundll32.exe
2724	rundll32.exe
4764	rundll32.exe
2040	rundll32.exe
992	rundll32.exe
4448	rundll32.exe
3344	rundll32.exe
2468	rundll32.exe
1416	rundll32.exe
3004	rundll32.exe
1932	rundll32.exe
4400	rundll32.exe
4208	rundll32.exe
4972	rundll32.exe
3784	rundll32.exe
856	rundll32.exe
1808	rundll32.exe
1576	rundll32.exe
1316	rundll32.exe
4996	rundll32.exe
4604	rundll32.exe
1416	rundll32.exe
3692	rundll32.exe
1508	rundll32.exe
2640	rundll32.exe
1524	rundll32.exe
1596	rundll32.exe
2676	rundll32.exe
2532	rundll32.exe
5020	rundll32.exe
1904	rundll32.exe
404	rundll32.exe
3504	rundll32.exe
1416	rundll32.exe
2624	rundll32.exe
1956	rundll32.exe
372	rundll32.exe
2756	rundll32.exe
4412	rundll32.exe
3080	rundll32.exe
4632	rundll32.exe
3808	rundll32.exe
1808	rundll32.exe
4132	rundll32.exe
5112	rundll32.exe
2416	rundll32.exe
5096	rundll32.exe
4960	rundll32.exe
1556	rundll32.exe
4900	rundll32.exe
2284	rundll32.exe
2348	rundll32.exe
2840	rundll32.exe
872	rundll32.exe
2448	rundll32.exe
4632	rundll32.exe
856	rundll32.exe
4800	rundll32.exe
3384	rundll32.exe
1240	rundll32.exe
3412	rundll32.exe
4224	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2460	2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	88
PID 2876 wrote to memory of 2460	2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	88
PID 2876 wrote to memory of 2460	2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	88
PID 2460 wrote to memory of 1040	2460	Cmweu1u.exe	93
PID 2460 wrote to memory of 1040	2460	Cmweu1u.exe	93
PID 2460 wrote to memory of 1040	2460	Cmweu1u.exe	93
PID 2460 wrote to memory of 720	2460	Cmweu1u.exe	94
PID 2460 wrote to memory of 720	2460	Cmweu1u.exe	94
PID 2460 wrote to memory of 720	2460	Cmweu1u.exe	94
PID 2876 wrote to memory of 2936	2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	97
PID 2876 wrote to memory of 2936	2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	97
PID 2876 wrote to memory of 2936	2876	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	97
PID 2316 wrote to memory of 3968	2316	cmd.exe	101
PID 2316 wrote to memory of 3968	2316	cmd.exe	101
PID 3968 wrote to memory of 1164	3968	rundll32.exe	102
PID 3968 wrote to memory of 1164	3968	rundll32.exe	102
PID 3968 wrote to memory of 1164	3968	rundll32.exe	102
PID 380 wrote to memory of 3232	380	cmd.exe	105
PID 380 wrote to memory of 3232	380	cmd.exe	105
PID 3232 wrote to memory of 872	3232	rundll32.exe	106
PID 3232 wrote to memory of 872	3232	rundll32.exe	106
PID 3232 wrote to memory of 872	3232	rundll32.exe	106
PID 2448 wrote to memory of 4232	2448	cmd.exe	109
PID 2448 wrote to memory of 4232	2448	cmd.exe	109
PID 4232 wrote to memory of 2724	4232	rundll32.exe	110
PID 4232 wrote to memory of 2724	4232	rundll32.exe	110
PID 4232 wrote to memory of 2724	4232	rundll32.exe	110
PID 3808 wrote to memory of 4700	3808	cmd.exe	115
PID 3808 wrote to memory of 4700	3808	cmd.exe	115
PID 4700 wrote to memory of 4764	4700	rundll32.exe	116
PID 4700 wrote to memory of 4764	4700	rundll32.exe	116
PID 4700 wrote to memory of 4764	4700	rundll32.exe	116
PID 3576 wrote to memory of 4156	3576	cmd.exe	119
PID 3576 wrote to memory of 4156	3576	cmd.exe	119
PID 4156 wrote to memory of 2040	4156	rundll32.exe	120
PID 4156 wrote to memory of 2040	4156	rundll32.exe	120
PID 4156 wrote to memory of 2040	4156	rundll32.exe	120
PID 2592 wrote to memory of 4800	2592	cmd.exe	123
PID 2592 wrote to memory of 4800	2592	cmd.exe	123
PID 4800 wrote to memory of 992	4800	rundll32.exe	124
PID 4800 wrote to memory of 992	4800	rundll32.exe	124
PID 4800 wrote to memory of 992	4800	rundll32.exe	124
PID 1316 wrote to memory of 4448	1316	rundll32.exe	128
PID 1316 wrote to memory of 4448	1316	rundll32.exe	128
PID 1316 wrote to memory of 4448	1316	rundll32.exe	128
PID 3524 wrote to memory of 4996	3524	cmd.exe	131
PID 3524 wrote to memory of 4996	3524	cmd.exe	131
PID 4996 wrote to memory of 3344	4996	rundll32.exe	132
PID 4996 wrote to memory of 3344	4996	rundll32.exe	132
PID 4996 wrote to memory of 3344	4996	rundll32.exe	132
PID 4576 wrote to memory of 4604	4576	cmd.exe	135
PID 4576 wrote to memory of 4604	4576	cmd.exe	135
PID 4604 wrote to memory of 2468	4604	rundll32.exe	136
PID 4604 wrote to memory of 2468	4604	rundll32.exe	136
PID 4604 wrote to memory of 2468	4604	rundll32.exe	136
PID 3304 wrote to memory of 3984	3304	cmd.exe	139
PID 3304 wrote to memory of 3984	3304	cmd.exe	139
PID 3984 wrote to memory of 1416	3984	rundll32.exe	192
PID 3984 wrote to memory of 1416	3984	rundll32.exe	192
PID 3984 wrote to memory of 1416	3984	rundll32.exe	192
PID 4368 wrote to memory of 1332	4368	cmd.exe	256
PID 4368 wrote to memory of 1332	4368	cmd.exe	256
PID 1332 wrote to memory of 3004	1332	rundll32.exe	144
PID 1332 wrote to memory of 3004	1332	rundll32.exe	144

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\Cmweu1u.exe
  C:\Users\Admin\AppData\Local\Temp\Cmweu1u.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240621625.bat
    3⤵
    PID:720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe"
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1688
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3056
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4104
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4724
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2280
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3080
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4632
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:788
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2920
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1740
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2416
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:5096
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:452
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:904
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4992
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1932
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1508

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4564
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:872
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4624
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3772
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2664
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:392
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:916
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4008
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2424
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:536
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2748
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1636
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3708
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2348
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4140
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1332
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2164
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4208
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4972
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3784
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2628
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2312
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4284
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1316
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:536
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1588
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2272
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3692
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:5048
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4572
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:384
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:5056
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3188
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4464
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3608
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1520
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4200
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1808
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:992
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4852
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4668
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2468
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3660
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3648
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2272
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4220
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1508
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:372
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4724
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4660
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3552
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:908
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:5076
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2628
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2052
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4284
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2172
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4132
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3628
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2424
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:400
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4224
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:452
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3524
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1556
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1956
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:388
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:864
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4220
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:384
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:232
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2608
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:872
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:924
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1596
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3772
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4700
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1968
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1868
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4484
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2192
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2988
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2868
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2832
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4036
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3984
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3524
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2948
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4900
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4240
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3392
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3184
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2756
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3932
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1004
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:740
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4232
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3556
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3808
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3512
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:856
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1540
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5020
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3476
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3012
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:956
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4008
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2900
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1996
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1200
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2332
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3712
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:216
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1480
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3364
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1180
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2864
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:804
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4256
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4624
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3268
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2568
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3200
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:224
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3636
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:3388
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:632
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2668
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2056
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:864
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1044
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:5028
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:1568
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:2000
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:924
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
1⤵
PID:4860
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240621625.txt,M
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240621625.bat

Filesize
130B

MD5
18d8285d786ec10eaa0740b9f10d74dd

SHA1
3a187102cd1633dd748812755d2125ed97c2e1fb

SHA256
4017bab15ad44309f3ff122d0cfe18c2a1d0cf1046937b76a589596f919b68f1

SHA512
4c1e6ce596b0a5165ee072505721de47393cd4cee1ab030404e82e94a5963bb7f805ef4ffa62a1af158cafe2b9eb5d3f66fd7b4098ac9a112684cfea7b360db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\240621625.txt

Filesize
112KB

MD5
517caa9f653c03b451e7ddae0a802cca

SHA1
602ffbb74ed53646b8822efac96ee7ef3743c8bb

SHA256
55745c824b8c4e06e3f9374ba34eb880a5e95614aa3d07d70a31845459f0ccc0

SHA512
a80bfe58940b284f19eb515402df2acec7ec212b762eaf9ef8e10fb8ee81541268d287ec28496be09e0b7f7354a013558217682c8f016b4c11a051259fc7f999

Download Submit
memory/2460-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2460-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2876-0-0x0000000000400000-0x0000000000449200-memory.dmp

Filesize
292KB

Download
memory/2876-18-0x0000000000400000-0x0000000000449200-memory.dmp

Filesize
292KB

Download